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(54) AES Encryption circuit 



(57) A round processing unit In an encryption circuit 
comprises: a first Round Key Addition circuit (204) that 
adds a round key value to input data; an intermediate 
register/Shift Row transformation circuit (206) thattenv 
porarity stores the output of the ifirst Rou nd Key Addition 
circuit (204) and executes Shift Row transfonnation; a 
Byte Sub transfomation circuit (207) Into which the val- 
ues of the intermediate registeryshift Row transforma- 
tion circuit (205) are inputted and which executes Byte 
Sub transformation; a second Round Key Addition cir- 
cuit (208) into which the values of the intennediate reg- 
ister/Shift Row transfonnation circuit (206) are Inputted 



and which adds round key values; a Mix Column trans- 
fonnatlon circuit (210) that executes Mix Column trans- 
fomnation upon the outputs of the second Bound Key 
Addition circuit (208); and a second selector (203) that 
outputs to the second Round Key Addition circuit (204) 
one of the outputs of a first selector (202), the Interme- 
diate register/Shift Rowtransfonnation circuit (206), the 
Byte Sub transformation circuit (207), and the Mix Col- 
umn transforniationdncult (210). Such an encryption cir- 
cuit reduces a scale of circuit and can achieve a certain 
leve! of high-speed processing bi the Implementation of 
the AES block cipher. 
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Description 

BACKGROUND OF THE INVENTION 
s Technical Field 

[0001] The present Invention relates to an encryption circuit for Implementing in hardware the Rljndae! algorithm, 
which is the next generation common l<ey blocic encryption standard, known as the AES (advanced encryption stand- 
ard), and wifl replace the current common.key block encryption standard in the US, ca»ed DES. 

10 

Description of Related Art 

[0002] A great variety of services are being considered that invoh^e the Internet. Including electrorilc commerce and 

electronic money. These technologies are used not Just In the daily Dves of Individuate, but also in a wide range of 
IS fields. Including transactions among corporations and improving productivity. In particular, it is expected that encryption 

functions will be loaded onto smart cards, and nnobfle handsets, for the purpose of verifying the identity of individuals, 

and that these technologies wfll be widely used for authentication, digital signatures, and data encryption. 

[0003] Common key cryptography is used In these applications to prevent third parties from tapping on the internet. 

The current standard adopted In the US for common key cryptography is DES; as its replacement, the AES (advanced 
^ encryption standard), known as the Rijndael afgortthm, has been selected to be next generation common key block 

cryptography standard, and this algorithm is becoming the riew standard. (The AES draft Is aval1ai)le at http://c5rc.nist. 

gov/publfcations/drafts/dfips-AES.pdf) 

[0004] AES is a blocl( cipher for processing in block lengths of 128 bits, and the encryptten algorithm, as shown In 
FIG. 1, is thought to be executable by an encryption circuit comprising a round function unit 20 and a key schedule 
25 unit 1 0. The round functton unit 20,comprlses an input register 21 that temporarily stores input data, an XOR processing 
unit 22 that XORs the input data and expanded key segmont. a round processing unit 23, a final round processing unit 
24 and an output register 25 that temporarily stores output data. 

[0005] The round processing unit 23 comprises a Byte Sub transfomnatlon unit 31 , a Shift Row transformation unit 
32, a Mix Column transfonnation unit 33 and a Round Key Addition unit 34; the final round processing unit 24 performs 
so the processing of the round processing unit 23 except for the Mix Column transfonmatlon 33; It compr ises a Byte Sub 
transformation unit 35, a Shift Row transfonnation unit 36 and a Hound Key Addition unit 37. 
[0006] Round processing Iterated; the number of rounds Nr including the final round depends on the key length 
inputted into the key schedule unit 1 0, and is defined as shown in Table 1 . 

3S \ [Table 1] . . 



40 



Key Length and Number of Rpuncb 


Key l.ength 


Nr 


128bit 


. • 10 • 


I92bit 


12 


256bit 


14 



[0007] Thus for each key length round processing is executed Nr-1 times, and at the end the final round processing 
is executed. When the key length Is 128 bits, round processing is executed 9 times; when 192bit8,11 times; and when 
256 bits, 13 times; and then in each case the final round proces^ng Is executed. Round keys generated at the key 
schedule unit 10 are Inputted into the XOR processing unit 22. round procaeeing unit 23 and final round processing 
unit 24. 

[0008] The key schedule unit 10 generates round keys based on the key generation schedule specffled In the AES 
draft; that algorithm is shown in FiG. 2. - 

[0009] The AES Proposal specification (AES Proposal: Rijndael. at http'y/csrc.nlst.gov/encryptlon/aes/rijndael/RlJn- 
dael.pdf) intpduces 2 hardware implementations for AES block ctph er circuits. 

[0010] One of these Is a method for hardware implementation, in 128 bit units, of all the functions shown In FIG. 1 
as they are (hereinafter, "conventional example 1 In this case, for encryption and decryption, the order of processing 
of the functions Is reversed, and thus it Is necessary to prepare separate processing circuits for encryption and de- 
cryption. 

[001 1] Also, because, as shown in Tabto 1 , it is necessary to change the number of times raund processing is exe- 
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cuted depending upon the key length, It Is necessary to create circuits for each key length, 

[0012] Furthermore, because of the reversal of orderbetween encryption and decryption, the order of key generation 
in the key schedule unit 1 0 forthe round keys used In the round function unit 20 has to be reversed between encryption 
and decryption. Therefore, eitherthere has to be 2 separate key schedule units, for encryption andfor decryption, or 

s a method has to be devised for using the key schedule unit 1 0 for both encryption and decryption. 

[0013] The second method, as shown In FIG. 3, Involves creating acoprocessor50that hasa Byte Sub transformation 
unit 51 and a Mix Column transfcmnatlon unit 52, and Implementing in hardware only the Byte Sub transformation &nd 
the Mix Column transfomnatlon functions, and having all other functions incorporated as software Into a program -41 , 
and then processing with a CPU 40 (hereinafter, "conventional example 2"). 

10 [0014] In this case, Byte Sub transformation and Mix Column transfomiation, which are unsulted tor processing by 
the CPU 40 for reasons of processing time, are implemented In hardware as the coprocessorSO, and the other process- 
ing Is processed by the program 41 stored in the CPU, thus allowing the circuit scale to be reduced. 
[0015] If we suppose that the AES blocl< cipher is to be incorporated into a smart card or the lll<e, the functions 
required of an encryption circuit would be to maintain a certain level of processing speed, while keeping the scale of 

IS the circuit small. With these requirements, the conventionally proposed method of Implementing all the functions in 
128-bit units results In the scale of drcuit being too large, making the loading thereof onto a smart card difficult. With 
the method of Implementing In hardware only the Byte Sub transfonrotlon and the Mix Column transformation, and 
processing the other functions with software, there Is the problem of the processing speed requirements not being 
fulfilled. 

a> [0016] Moreover, wltti the key scheduio unit 10 that genenates the round, keys, if all the round keys are stoned in 
memory, a large-capacity memory is needed, and this would make the scale pf circuit large. Therefore, In order to 
reduce the scale of circuit wfthout reducing processing speed, it Is desirable to generate round keys with a circuit 
constitution that does not require storing the entire expanded key in memory. 

25 SUMMARY OF THE INVENTION 

[001 7] It is a n object of the present invention to present an encryption circuit that |s small In scale and that can achieve 
a certain level of processing speed when Implementing the AES block cipher. 

[0018] The present invention provides an encryption circuit that generates from a cipher key a plurality of round keys 
so leaving a number of bits con^sponding to a predetemnlned processing block length and executing, for each processing 
block length, input data and round key encryption/decryption processing, by means of a round function unit comprising 
an XOR operation unit that XORs the Input data and one of the round keys and a round processing unit that Iterates 
round- processing that Includes Byte Sub transfomiation, Shift Row transformation, Mix Column transfomiatfon and 
Round Key Addition, wherein: 

35 the round processing unit comprises: a first selectorthat segments input data Into execution block lengths smallerthan 
the processing block length; a first Round Key Addition circuit that adds the round key value to Input data for each the 
execution block length; an intennedlate register/Shift Row transformation circuit that temporarily stores the output of 
the first Round Key Addition circuit and executes Shift Row transfomiation using the processing block length; a Byte 
. Sub transformation circuit wherein the I ntermedate register/Shift Row transformation circuit value Is Inputted for each 

40 the execution bfock length and Byte Sub transfomiation Is executed; a second Round Key Addition circuit wherein the 
intennedlate register/Shift Row transfomriation circuit value Is inputted for each the execution block length and the 
round key value Is added for each the execution block length; a Mix Column transformation circuit executing Mix Column 
tmnsfomatron on the output of the second Round Key Addition circuit; and a second selector that outputs to the first 
Round Key Addition citcuit one output from among the outputs of the first selector, intermediate register/Shift Row 

^ . transformation circuit, Byte Sub transformation circuit, or Mix Column transformation drcuit. 

[0019] Here, the execution block length can be a multiple of a bits, the processing block length can be 128 bits and 
the execution block tength can be 32 bits. 

[0020] Further, the key length of the cipher key can be any of 128 bits, 192 bits or 256 bits. 

[0021] Also, tfiB Byte Sub transfonnation circuit can comprise a matrix operation unit for decryption that executes a 
so matrix operation on input data; a third selector that outputs either the Input data or the output of the matrix operation 

unit for decryption; an Inverse operation unit for executing an inverse operation on the data outputted from the third 
. selector, a matrix operation unit for encryption that executes a maitrtx operation on the data outputted from the Inverse 

operation unit; and a fourth selector that outputs either the output of the Inverse operation unit or the output of the 

matrix operation unit for encryption . 
S5 [0022] Further, the matrix operation unit for decryption and the matrix operation unit for encryption comprtses an 

XOR drcuit so as to pert^orm 8-blt operations at one dock cycle and the matrix openatlon unit for decryption and the 

matrix operation unit for encryption comprises an XOR circuit so as to perfomn 1-blt operations at one clock cycle. 

[0023] Also, the Intermediate register/Shift Row transfonnation circuit can be usedfor both encryption anddecryption 
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through the reversal of order of rnput of shift data relating to amount of shift for data to be inputted into the intermediate 
register/Shift Row transformation circuit, the input order for decryption being the reverse of the order for encryption. 
[O024] Further, the Mix Column transformation circuit can comprise a pluralrty of multiplication units with unique 
muftlpllers and an XOR circuit that perfonris XOR operations for the plurality of multiplication units, the Mix Column 

s transformation circuit executing a matrix operation between data Inputted Into each multiplication unit and the multiplier 
established for each multiplication unit. In this case, the Mix Column transfomiation circuit comprises 4 operation units 
having 4 multiplication units capable of B-btt unit operations and XOR circuits that execute XOR operations based on 
the outputs of the 4 multiplication unite. This multiplication units can control 2 multipl iers and are used for both encryption 
and decryption and the multiplication units can be constituted to control addition values from high-order bits. 

10 [0Q25] Also, an encr^tlon circuit can be constituted so as to have a key expansion schedule circuit that generates 
from the cipher key, as an expanded key segmented into bit numtjers corresponding to the execution block length, a 
plurality of round keys with bit numbers con-espondlng to a predetemrtlned processing block length. The key expansion 
schedule circuit comprises: 

IS a fifth selector that segments a cipher key into the number of bits conresponding to the execution btock length and 

outputs the same; 

a shift register to which fJIp-flop circuits are connected at a plurBllty of stages, the flip-flop circuits latching data In 
units of the execution block length; 

a first XOR circuit that XORs the output of the final stage flip-flop droult of the shift register with one constant 
so selected from among a group of constants; 

a sixth selector Into which are inputted the outputs of those flip-flops of the shift register that are involved in oper- 
ations for encryption and the outputs of those flip-flops involved in operations for decryption, and which selectively 
outputs one of these; 

a Rot Byte processing circuit that rotates the output of the sixth selector; 
25 a seventh selector into which the output of the sixth selector and the output of the Rot Byte circuit is inputted and 

which selectively outputs one of these; 

a Sub Byte processing circuit that executes Byte Sub transformation oh the output of the seventh selector for each 
the execution block length; 

an eighth selector Into which the output of the sixth selector and the output of the Sub Byte processing circuit are 
30 inputted, and which selectively outputs one of these; 

a second XOR droult that executes an XOR operation based on the output of the first XOR circuit and the output 
of the eighth selector; and 

a shift register unit setector'that selectively outputs, to those flip-flops of the shift register the outputs of which are 
subject to operations for encryption, either the output of the second XOR circuit or the output of the adjacent stage 
35 fflip-nop. 

[0026] Here, the shift register comprises 8 flip-flops executing data processing in 32-bIt units, and the sixth selector 
Is constituted so that the outputs of the second, fourth, sixth and ejghth flip-flops from Ihe bottom from among the flip- 
flops are inputted therein, and that It outputs one of these. 

^0 [0027] Also, through the input into the seventh selector of the output of the intermediate register/Shift Row transfor- 
mation circuit and the Input into the second selector of the output of the Sub Byte processing circuit, a single circuit 
can be used for the Sub Byte processing circuit and the Byte Sub transformation circuit of the round processing unit, 
[0028] From the following detailed description In conjunction with the accompanying drawings, the foregoing and 
other objects, features, aspects and advantages of the present Invention will become raadJ jy apparent to those skilled 

^ In the art * . * 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0029] 

SO , 

• FIG. 1 1s a block diagram of AES processing using the Rljndael algorithm; 
FIG. 2 is a key schedule program ^t; 

FIG. 3 is a block diagram showing one envisioned circuit implementation; 

FIG. 4 is a block diagram of a round function unit adopted in a first embodiment of the present invention; 
ss FIG. 5 is a block diagram showing an intermediate reglster^Shlfl Row transformation drcult; 

FIG. 6 Is a block diagram showing a Mbc Column transfonmatlon circuit; 
FIG. 7 is a block diagram showing the constitution of a multiplication unit; 
FIG. 8 rs a block diagram, showing another constitution of a multiplication unit; 
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FIG. 9 is a block diagram showing a key scliedule unit; 
FIG. 10 is a block diagram showing a Byte Sub transformation circuit; 
RG. 11 is a block diagram showing a matrix operation circuit for encryption; 
FIG. 12 is a block diagram showing a matrix operation circuit for decryption; 
5 FIG. 1 3 Is a block diagram showing another example of a matrix operation circuit for encryption; and 

FIG. 1 4 Is a block diagram showing another example of a matrix operation circuit for decryption. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

10 Round Function Unit 

[0030] The AES block cipher Is an algorithm that encrypts/decrypts the 128 bit data with the 128 bit, 1 92 bit or 256 
bit key. As shown in FIG, 1 , it comprises a key schedule unit 1 0 that generates a plurality of round keys from the cipher 
key, arid a round func^'on unit 20 that uses the round keys inputted from the key schedule unit 10 to encrypt and decrypt. 

IS The pund function unit 20 perfonns such prcx^esslng as XOR operations. Byte Sub transformation processing, Shift 
Row transfomiation processing, Mix Column transfomnatlon processing, Round Key Addition pmcesslng. 
[0031] The first embodiment of the present Invention Is a cjrcuii for implementation of this round function unit 20, 
and the constitution of this circuit Is shown In FIG. 4. Each circuit block executes 32-bit processing with the exception 
of Shift Row transformation processing, which fs 1 28-bit processinig; transfer of data between circuit blocks Is executed 

50 in 32-bit units. 

[0032] This round function unit contains: an input register 201 that temporarily stores input data; a first selector 202 
that selects 32-blt data from the 128-bit Input data; a second selector 203 Into one Input terminal of which the output 
of tine first selector 202 Is inputted; a first Round Key Addition circuit 204 into which the output of the second selector 
203 IS inputted; an add data selector 205 that Inputs Into the first Round Key Addition circuit 204 an expanded key 

2s segment or "O"; an intemnedlato reigister/Shift Row transfonDatlon circuit 206 that stores the output value of the first 
Round Key Additiipn circuit 204 and executes Shift Row transformation in 128-blt units; a Byte Sub transformation 
cirpult 207 Into which intermediate register/Shift Row transformation circuit 206 values are inputted and which executes 
Byte Sub transformation; a second Round Key Addition circuit 208 Into whictr Intermediate register/Shift Row transfor- 
mation cl«:uit 206 values are Inputted for each 32 bits; an add data selector 209 which inputs into the second Round 

50 Key Addition d rcult 208 an expanded key segment or "0"; and a i\4ix Column transfonnatlon circuital 0 which executes 
Mix Column transfomnatlon on the output of the second Round Key Addition circuit 208. The outputs pfth© finst selector 
202, Byte Sub transfomiation circuit 207, Mix Column transformation circuit 210, and. Intermediate registeryshlft Row 
transformation circuit 206 are inputted into the second selector 203, and one of these outputs is outputted to the first 
Round Key Addition circuit 204. 

35 ■ . ■ ' 

Operation Schedule during Encryptton 

[0033] The operation scfieduie during encryption in the round function unit is shown in l&ble 2. 

40 
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f Table 2] 



Round Function Operation Schediria 



5 


Pound 


Cycb 


Processing 


SEUB 




0 


0O{HX)3 


Round Key Addition 


a 


10 




004-007 


Byte Sub Transformation 


b 


t 


008 


Shift Row Transformation 


c 


15 




009H)12 


Mix Column TraMomiation 
Rouhd Key Addition 


c 




013-016 


Byte Sub Transf orrnation 


b- 




2 


017 


Shut Row transfonnation 


c 


on 




018-021 


Mix Column Transformatlw 
Rtound Key Addition 














25 




- 
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#1 . 


Byte Sub Transformation 


. b 






{NM)*9-1 


Shift Row Transfornnatlon 


■ c ■ 


30 




(Nr-1)*9+3 


Mix Column Transformation 
Round Kay Addison 


c 






. «2 


Byte Sib Transfonmation 


b 


35 


Nr 


Nr*9-1 


Shift Row Transformation 


d 






Nr*9'- 


Round Key Addition 


d 



40 



45 



#1:(Nr-l)*9-5-^(Nr-l>9-2 
»:Nr*9-5-.Nrrt"2 

Note: The table shows operations during encryptioa 
In decryptioa the order of round key and Mix 
Column prooeastngs is swftohed. 



so 



[0034] Here, In round 0, addition of an expanded key segment is executed by the first Round Key Addition circuit 
204 with a selector position of "a" for the second selector 203. input data In the Input register 201 is selected in 32 bit 
units by the first selector 202 and inputted into the first Round Key Addition circuit 204, and to this is added a portion 
of a round key, inputted from the i<ey schedule unit, this portion being a 32-bit segment of the expended key. While the 
input data and the expanded l<ey are being changed Into 32-bit units, the first Round Key Addition circuit 204 executes 
addition processing, and the XOR processing of the XOR unit 22 in RG, 1 Is thereby executed on 1 28-bit processing 
blocics In the 4 cycles of cycles 000 through 003. The result of the operation by the first Round Key Addition circui 204 
Is stored in order in 32-bit units in the intemiediate register/Shift Row transfonnation circuit 206. 
[0035] in round 1 , the round processing 23 in FIG. 1 Is executed, and Byte Sub transfonnatlon processing 31 , Shift 
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